Linux 2.4's Firewalling
A reader writes "Dave Wreski finished an article for linuxsecurity.com on the security improvements available in the new 2.4 kernel packet mangling/filtering." This is a fairly basic, newbie-level article (assuming you at least have a pocketful of networking experience) and is worth reading to bring you up to speed on what's new and exciting.
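The 2.4 packet filtering the summary refers to is configured through iptables. The script below is an added example, not from the article or from the thread, showing a minimal default-deny ruleset for a host that exposes only SSH; the interface name eth0, the SSH port and the IPT/WAN_IF variables are assumptions, and IPT defaults to echoing the rules so the script can be read before it is applied.

```shell
#!/bin/sh
# Added example of a stateful 2.4 netfilter/iptables ruleset (not the
# article's or the thread's own code).
# Assumptions (hypothetical): eth0 faces the Internet and SSH on tcp/22 is
# the only service offered. IPT defaults to "echo iptables" so the rules
# are printed rather than loaded; run with IPT=iptables as root to apply.
IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"

build_rules() {
    # Clean slate with a default-deny policy on the filter table.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback traffic is always local.
    $IPT -A INPUT -i lo -j ACCEPT

    # Packets arriving on the WAN side with private or loopback source
    # addresses are spoofed; drop them before anything else.
    $IPT -A INPUT -i "$WAN_IF" -s 10.0.0.0/8 -j DROP
    $IPT -A INPUT -i "$WAN_IF" -s 172.16.0.0/12 -j DROP
    $IPT -A INPUT -i "$WAN_IF" -s 192.168.0.0/16 -j DROP
    $IPT -A INPUT -i "$WAN_IF" -s 127.0.0.0/8 -j DROP

    # Connection tracking (new in 2.4): accept replies to connections this
    # host opened, and drop anything conntrack cannot classify.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP

    # The one exposed service: new SSH connections from the WAN.
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Log a rate-limited sample of what the DROP policy will discard.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "
}

build_rules
```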
hi all (george here)
really this linux 2.4 firewall looks VERY INTERESTING but I cannot bring myself to actually create one, I have been told by VERY reputable sources that this would threaten the AMERICAN WAY
your bud
-gbd
I've been getting more into host security over the past few months... and especially on Linux. Anyone that's at all an expert will tell you that firewalling is only one of many measures that can improve your security; it's not even a very big one. Linux is STILL waiting for ACLs, file access auditing, wide use of capabilities (and through them the reduction of the need to have root do things). ACL support in ext2 (according to a post to the linux-kernel mailing list) was dropped in exchange for large file support. You can get patches for the kernel to support ACLs in other ways (often loading ALL ACLs into kernel memory). And, apart from running something like tripwire, how are you going to know if /etc/password gets opened in write mode? Or if anything but login/pam (or whatever other program) opens /etc/shadow?
Linux really needs to get these things into the official kernel. I want them! They're as important to me as firewalling. (Sorry, I don't know enough C yet to write any of this within the next year or two ;)
There's a really good book that you can find online (at www.linuxdoc.org under the guides section) called "Securing and Optimizing Linux - Redhat Edition". It's a pretty big doc (the PDF is about 5MB, if I recall correctly, almost 500 pages too). It may be a tad more paranoid than you think. But between that guide and a normal basic-linux-commands-type book, I think you'd be on your way.
As for telnetting into your box remotely, that has to do with "sniffing". Basically, Evil People(tm) could watch all the traffic on your network connection and simply grab your username/password as you type it. But, if you're not anally paranoid, and/or you don't share a connection with other people, and/or you trust your ISP... you'll be fine. As for RedHat 6.2, be absolutely sure you grab the updated RPM for wu-ftpd (the FTP server); it has a commonly exploited hole.
From what you say, you don't sound like you need to be running things like a web server, FTP server, DNS server, NFS server, etc., etc. So, don't. The guide tells you how to disable all that stuff. Most of it is what gets you in trouble. Also, I highly recommend PortSentry from www.psionic.com. It's kinda like ZoneAlarm... it'll identify people that are trying to attack you (well, port scan at least), and block them from connecting. It works very well.
Good luck!
There was a project started some time ago called IP Personality. It was supposed to help hide from OS fingerprinting (a la nmap). The project seems to be defunct now... which sucks... I was really looking forward to this. It used IP mangling to make your packets look like other OSes (such as Windows, Amiga, etc.).
Sure, it probably won't keep the real bad guys out forever, but it'll certainly throw off the script kiddies. If anybody knows the status of the project, or of other similar projects, it'd be great to hear something.
http://netfilter.kernelnotes.org/unreliable-guide
It's well written, short, to the point. What else would you need?
I think, therefore thoughts exist. Ego is just an impression.